Docker Permissions

References: Man Page, Install Docker Tutorial, Docker Containers Can Do Too Much

Your containers can do too much. Look at all the capabilities a Docker container gets by default:

- SYS_ADMIN
- NET_ADMIN
- NET_RAW
- FOWNER
- SETGID
- SETUID
- CHOWN
- AUDIT_CONTROL
- AUDIT_READ
- AUDIT_WRITE
- BLOCK_SUSPEND
- BPF
- CHECKPOINT_RESTORE
- DAC_READ_SEARCH
- DAC_OVERRIDE
- FSETID
- IPC_LOCK
- KILL
- LEASE
- LINUX_IMMUTABLE
- MAC_ADMIN
- MAC_OVERRIDE
- MKNOD
- NET_ADMIN
- NET_BIND_SERVICE
- NET_BROADCAST
- PERFMON
- SETFCAP
- SETPCAP
- SYS_BOOT
- SYS_CHROOT
- SYS_NICE
- SYS_PACCT
- SYS_PTRACE
- SYS_RAWIO
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- SYSLOG
- WAKE_ALARM

This should clearly be limited. Containers share functions of the host kernel; that is how they cut down on overhead. Giving unnecessary permissions violates the security principle of least privilege. So, how do we go about it? ...

April 12, 2026 · welcome-2themachine

Dockhand

References: TechHut Dockhand, Dockhand Documentation

Setup

Docker Compose:

    services:
      dockhand:
        image: fnsys/dockhand:latest
        container_name: dockhand
        restart: unless-stopped
        ports:
          - "3000:3000"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - ./data:/app/data
          - /home/mechanicus/Code/compose:/mnt/compose

Notes: using a separate data directory instead of a volume mount will make the container easier to manage and transfer if necessary.

Adding Environments

My preferred method is to use the hawser connector:

    docker run -d --name hawser --restart unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /home/mechanicus/code/docker-compose/:/mnt/compose \
      -p 2376:2376 -e TOKEN=[SECURE TOKEN] \
      ghcr.io/finsys/hawser:latest

Note: Include the location of compose files for easier management ...

February 4, 2026 · welcome-2themachine

Portainer

Description

Portainer is a web-based Docker management interface that allows users to easily manage their Docker containers, networks, and volumes. It provides a simple and intuitive way to view and interact with your Docker environment.

Installation

- Install Docker
- Create the Portainer server database:

    docker volume create portainer_data

- Download and install Portainer-CE:

    docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v portainer_data:/data portainer/portainer-ce:latest

Things I’ve Learned

- To update the container’s name in the yaml file, use the container_name: variable.
- If a stack is unable to be deleted, it’s likely because the /var/lib/docker/volumes/portainer_data/_data/compose file is missing. You’ll have to recreate that numbered file and a docker-compose.yml in the directory in order to delete the stack.

After Setup

Remove the 8000 port bind:

    docker run -d -p 9443:9443 --name portainer --restart=always \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v portainer_data:/data portainer/portainer-ce:latest

See also: Setup automatic updates with [[Watchtower]] or [[Shepherd]].

References: Portainer-CE, Container Names

June 20, 2025 · welcome-2themachine

Shepherd

References: Shepherd Docker Compose Examples, Shepherd Github, Shepherd on hub.docker.com

About

Shepherd is a Docker swarm service for automatically updating your services whenever their base image is refreshed.

Variables

- Default check time is every 5 minutes. Change this with the SLEEP_TIME variable.
- Control which services aren’t updated with the IGNORELIST_SERVICES variable. Ignored services should be given as a space-separated list of service names.
- As an alternative to ignoring, use FILTER_SERVICES to specify which services you want updated.
- Notifications can be enabled through the apprise microservice and the APPRISE_SIDECAR_URL variable.
- Set the timezone with the TZ variable. Note, do not put quotation marks around the timezone.
- Clean up old images with IMAGE_AUTOCLEAN_LIMIT; the number you set is how many old images are kept.

Setup

Docker Compose:

    version: "3"
    services:
      app:
        image: containrrr/shepherd
        environment:
          APPRISE_SIDECAR_URL: notify:5000
          TZ: Pacific/Honolulu
          IMAGE_AUTOCLEAN_LIMIT: 2
          SLEEP_TIME: '360m'
          FILTER_SERVICES: "label=shepherd.autodeploy"
          VERBOSE: 'true'
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        networks:
          - notification
        deploy:
          placement:
            constraints:
              - node.role == manager
      notify:
        image: mazzolino/apprise-microservice:latest
        environment:
          NOTIFICATION_URLS: discord:[add your URL here]
        networks:
          - notification
    networks:
      notification:

Docker Run:

    docker service create --name shepherd --constraint "node.role==manager" \
      --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock,ro \
      containrrr/shepherd

Notes: Notifications run through the apprise microservice, which is built on Apprise. The format for discord notifications is discord://webhook_id/webhook_token or discord://avatar@webhook_id/webhook_token.

July 6, 2024 · welcome-2themachine